Package: typo3-src Severity: critical Tags: security Version: 4.5.3+dfsg1-1, 4.3.9+dfsg1-1
Component Type: TYPO3 Core Affected Versions: 4.3.11 and below, 4.4.8 and below, 4.5.3 and below Vulnerability Types: Cross-Site Scripting (XSS), Information Disclosure, Authentication Delay Bypass, Unserialize() vulnerability, Missing Access Control Overall Severity: High Release Date: July 27, 2011 Vulnerable subcomponent #1: Frontend Vulnerability Type: Cross-Site Scripting Severity: High Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C Problem Description: Failing to properly sanitize URL parameters the "JSwindow" property of the typolink function is susceptible to Cross-Site Scripting. The problem does not exist if the third party extension "realurl" is used and it's configuration parameter "doNotRawUrlEncodeParameterNames" is set to FALSE (default). Vulnerable subcomponent #2: Backend Vulnerability Type: Information Disclosure Severity: Low Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C Problem Description: For authentication attempts with wrong credentials, TYPO3 sends different HTTP-Headers depending if provided username or provided password is wrong. Vulnerability Type: Authentication Delay Bypass Severity: Low Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C Problem Description: The TYPO3 Backend login has a delay for authentication attempts with wrong credentials. By using a crafted request, an attacker is able to bypass the madantory delay in such cases. Vulnerability Type: Cross-Site Scripting Severity: Medium Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C Problem Description: Failing to properly sanitize an username the admin panel is susceptible to Cross-Site Scripting. Vulnerability Type: Cross-Site Scripting Severity: Medium Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C Problem Description: Failing to properly sanitize a content element's link attribute the browse_links wizard is susceptible to Cross-Site Scripting. Exploiting requires an attacker to prepare a content element and trick its victim to open the browse_links wizard for this record. Vulnerability Type: Cross-Site Scripting Severity: Medium Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C Problem Description: Failing to properly sanitize a page title the system extension recycler is susceptible to Cross-Site Scripting. Exploiting requires an attacker to prepare a page and deleted page and trick its victim to visit the recycler. Vulnerability Type: Cross-Site Scripting Severity: Medium Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C Problem Description: Failing to properly sanitize a page title the tcemain flash message is susceptible to Cross-Site Scripting. Exploiting requires an attacker to prepare a page and trick its victim to copy/move the prepared page. Vulnerability Type: Information Disclosure Severity: Medium Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C Problem Description: A TYPO3 Backend user (editor) is able to see workspace changes of records in any languages - even for those he hasn't got granted access to. Vulnerability Type: Information Disclosure Severity: High Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:P/A:N/E:U/RL:OF/RC:C Problem Description: Using "getText" feature on headlines of content elements it is possible to retrieve arbitrary data from TYPO3 database. The vulnerability results from an insecure configuration in css_styled_content system extension. Important Note: Having an adjusted fontTag property in the provided TypoScript (e.g. lib.stdheader.10.1.fontTag) or depending on headlines passed through fontTag might result in unexpected rendering results. Headline rendering is now handled through dataWrap (e.g. lib.stdheader.10.1.dataWrap). Make sure to check your TypoScript before the update and check the wesite rendering after it! Vulnerability Type: Unserialize() vulnerability Severity: High Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:C/A:N/E:U/RL:OF/RC:C Problem Description: Special user input of BE editors is treated as serialized data and is deserialized by TYPO3. This allows BE editors to delete any arbitrary file the webserver has access to. Vulnerable subcomponent #3: Exposed API Vulnerability Type: Cross-Site Scripting Severity: Medium Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C Problem Description: The RemoveXSS function fails to sanitize an attack vector that works in Internet Explorer version 6. Vulnerability Type: Missing Access Control Severity: High Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C Problem Description: ExtDirect endpoints are not associated with TYPO3 backend modules and such TYPO3 access control is not applied on ExtDirect calls. This allows arbitrary BE users to consume any available ExtDirect endpoint service. -- MfG, Christian Welzel GPG-Key: http://www.camlann.de/de/pgpkey.html Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
